@zipcode
Last active January 20, 2017 10:06
Quick 'n dirty IPSec w/ keys config
## Install strongswan and use this config file
## How to do key management:
## Make a root CRT. Do this on a secure machine, not the VPN endpoint. The root key is written to privkey.pem (openssl's default), which the signing steps below use.
# openssl req -x509 -newkey rsa:4096 -days 90 -subj "/CN=My VPN root" -out root.crt
## Make a conf file
# cat > openssl.cnf << EOF
# [ usr_cert ]
# basicConstraints=CA:FALSE
# nsComment = "OpenSSL Generated Certificate"
# subjectKeyIdentifier=hash
# authorityKeyIdentifier=keyid,issuer
# subjectAltName=email:move
# EOF
## Make server keys
# export FQDN="your.server.fqdn"
# openssl genrsa -out server.pem 2048
# openssl req -new -subj "/CN=$FQDN" -key server.pem -out server.req
# openssl x509 -req -CAcreateserial -days 90 -in server.req -CAkey privkey.pem -CA root.crt -out server.crt -extensions usr_cert -extfile <(cat openssl.cnf <(echo "subjectAltName=DNS:$FQDN"))
## Copy server.crt to your droplet in /etc/ipsec.d/certs/server.crt
## Copy root.crt to your droplet in /etc/ipsec.d/cacerts/root.crt
## Copy server.pem to your droplet in /etc/ipsec.d/private/server.pem
## Add ": RSA server.pem" to /etc/ipsec.secrets
## Clean up:
# rm server.pem server.req
## User certificate request
# openssl req -newkey rsa:2048 -new -subj "/CN=user@your.vpn/emailAddress=user@your.vpn" -keyout user.pem -out user.req
## send user.req to your CA machine
## On your CA machine
# openssl x509 -req -CAcreateserial -days 90 -in user.req -CAkey privkey.pem -CA root.crt -out user.crt -extensions usr_cert -extfile openssl.cnf
## send user.crt and root.crt back to your user/user machine
## On your user machine
## Makes a bundle of your cert and secret key
# openssl pkcs12 -export -out user.p12 -inkey user.pem -in user.crt
## This should now be importable in OSX
## Finally, set up your user machine as an IKEv2 IPSec client.
## Note that OSX presents user settings as "Certificate", "Username" and "None". Choose "None".
## After you've chosen "None", you can select a certificate anyway. This is a different option than the
## menu item. Choose your user certificate.
## Set the "Remote ID" to the server's fqdn as per the certificate.
## Set the "local ID" to the user's email address, as per the certificate.
ca root
    cacert=root.crt
    auto=add

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn vpn
    keyexchange=ikev2
    leftauth=pubkey
    leftcert=server.crt
    leftid="@your.server.fqdn"
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    rightauth=pubkey
    rightca="CN=My VPN root"
    rightdns=8.8.8.8
    rightsourceip=10.0.99.0/24
    auto=add
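The key-management steps above, together with the identities the conn section relies on (leftid must match the server certificate's DNS SAN, and the client's "Local ID" must match the e-mail SAN that email:move creates), as an added end-to-end example that is not part of the original gist. It assumes only the openssl CLI; the FQDN vpn.example.invalid, the user address alice@example.invalid and the PKCS#12 password are placeholders chosen here, and unlike the gist it spells out the root's CA extensions explicitly and passes -nodes so the whole run is unattended:

```shell
#!/bin/sh
# Added example, not part of the original gist: runs the CA / server / user
# issuance steps unattended in a scratch directory, then checks the properties
# the strongswan config and the client depend on. Assumes the openssl CLI;
# FQDN, e-mail address and bundle password below are placeholders.
set -e

# build_vpn_pki DIR [FQDN] [USER_EMAIL]
# Runs in a subshell so the cd does not leak into the caller. Returns 0 only
# if every issuance and verification step succeeds.
build_vpn_pki() (
    dir="$1"
    fqdn="${2:-vpn.example.invalid}"        # placeholder server FQDN
    user_mail="${3:-alice@example.invalid}" # placeholder user identity
    p12_pass="changeit"                     # placeholder bundle password
    mkdir -p "$dir" && cd "$dir"

    # One config for everything. The gist's root relies on OpenSSL's default
    # v3_ca section; here basicConstraints=CA:TRUE is spelled out. usr_cert
    # is the gist's section: email:move lifts emailAddress out of the subject
    # DN into the SAN, which is what the client's "Local ID" has to match.
    cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no

[ dn ]
CN = My VPN root

[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
subjectAltName = email:move
EOF

    # 1. Root CA. The key lands in privkey.pem, as the signing steps expect.
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -config openssl.cnf \
        -keyout privkey.pem -out root.crt 2>/dev/null

    # 2. Server certificate. The appended subjectAltName line replaces the
    #    email:move entry for this one signing, so the SAN becomes DNS:$fqdn.
    openssl genrsa -out server.pem 2048 2>/dev/null
    openssl req -new -config openssl.cnf -subj "/CN=$fqdn" \
        -key server.pem -out server.req
    { cat openssl.cnf; echo "subjectAltName = DNS:$fqdn"; } > server.cnf
    openssl x509 -req -CAcreateserial -days 90 -in server.req \
        -CAkey privkey.pem -CA root.crt -out server.crt \
        -extensions usr_cert -extfile server.cnf 2>/dev/null

    # 3. User certificate and the PKCS#12 bundle the client imports.
    openssl req -newkey rsa:2048 -nodes -new -config openssl.cnf \
        -subj "/CN=$user_mail/emailAddress=$user_mail" \
        -keyout user.pem -out user.req 2>/dev/null
    openssl x509 -req -CAcreateserial -days 90 -in user.req \
        -CAkey privkey.pem -CA root.crt -out user.crt \
        -extensions usr_cert -extfile openssl.cnf 2>/dev/null
    openssl pkcs12 -export -out user.p12 -inkey user.pem -in user.crt \
        -passout "pass:$p12_pass"

    # 4. Checks worth running before anything is copied to the endpoint.
    openssl verify -CAfile root.crt server.crt >/dev/null   # chains to root
    openssl verify -CAfile root.crt user.crt   >/dev/null
    openssl x509 -in root.crt -noout -text | grep -q 'CA:TRUE'
    ! openssl x509 -in server.crt -noout -text | grep -q 'CA:TRUE'
    # SANs must carry the identities used as leftid / Remote ID and Local ID.
    openssl x509 -in server.crt -noout -text | grep -q "DNS:$fqdn"
    openssl x509 -in user.crt -noout -text | grep -q "email:$user_mail"
    # The bundle must open with the password that will be handed to the user.
    openssl pkcs12 -in user.p12 -passin "pass:$p12_pass" -noout
)

# Stand-alone usage: sh thisfile.sh OUTPUT_DIR
case "${1:-}" in
    "") ;;  # no argument: just define the function
    *)  build_vpn_pki "$1"
        echo "PKI built and verified in $1" ;;
esac
```

After a successful run the directory holds root.crt, server.crt, server.pem and user.p12 laid out for the copy steps above; the private keys are not removed here, since the gist's clean-up is meant to happen only after server.pem has reached /etc/ipsec.d/private on the endpoint. The negated grep on server.crt is the check that matters most if the root is ever re-issued with a different config: a leaf that carries CA:TRUE would let any VPN user mint certificates the conn's rightca would accept.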